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CLAIMS : 

What is claimed is: 

5 

1. A method for administering managed resources, 
comprising: 

defining a set of privileges for a managed resource; 

and 

10 attaching an access control list to an object that 

represents the managed resource, wherein the access 
control list assigns at least one privilege from the set 
of privileges to an entity* 

15 2. The method of claim 1, wherein the entity is an 
individual user . 

3. The method of claim 1, wherein the entity is a group 
of users. 

20 

4. The method of claim 1, wherein the managed resource 
is one of a plurality of managed resources arranged in a 
hierarchy. 

25 5. The method of claim 1, wherein the set of privileges 
comprises a set of operations that may be performed for 
the managed resource. 



30 



6. A method for administering a plurality of managed 
resources including at least one first level resource and 
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at least one second level resource, wherein each of the 
at least one second level resource is a subresource of a 
first level resource, comprising: 

defining a first set of permissions for the at least 
5 one first level resource; and 

attaching a first access control list to a first 
object that represents a first managed resource, 

wherein the first managed resource is a first level 
resource and the first access control list controls 
10 access to the first managed resource and at least one 
subresource of the first managed resource based on the 
first set of permissions. 

7. The method of claim 6, wherein the first entity is 
15 an individual user. 

8. The method of claim 6, wherein the first entity is a 
group of users. 

20 9. The method of claim 6, wherein the set of privileges 
comprises a set of operations that may be performed for 
the at least one first level resource. 

10. The method of claim 6, further comprising: 
25 defining a second set of permissions for a second 

managed resource; and 

attaching a second access control list to a second 

object that represents the second managed resource, 

wherein the second access control list controls access to 
30 the second managed resource and at least one subresource 

of the second managed resource based on the second set of 
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permissions . 

11. A method for administering managed resources, 
comprising : 

5 receiving a request from a user to perform an 

operation on a managed resource; 

finding an access control list corresponding to the 
managed resource; and 

determining whether the operation is permitted for 
10 the user based on the access control list. 

12. The method of claim 11, wherein the managed resource 
is one of a plurality of managed resources arranged in a 
hierarchy and wherein the step of finding an access 

15 control list comprises searching the hierarchy for an 
access control list which is attached closest to the 
managed resource. 

13. The method of claim 11, wherein the step of finding 
20 an access control list comprises finding a first access 

control list that assigns a first permission for the user 
and a second access control list that assigns a second 
permission for the user. 

25 14. The method of claim 13, wherein the step of 

determining whether the operation is permitted for the 
user comprises selecting the access control list, from 
the first access control list and the second access 
control list, with a permission that more specifically 

30 matches the user. 
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15. The method of claim 13, wherein the first permission 
identifies a first set of operations permitted for the 
user and the second permission identifies a second set of 
operations permitted for the user, and 
5 wherein the step of determining whether the 

operation is permitted for the user comprises performing 
an OR operation on the first set of operations and the 
second set of operations. 

10 16. The method of claim 11, wherein the method is 
performed by an authorization server. 

17. An apparatus for administering managed resources, 
comprising: 

15 definition means for defining a set of privileges 

for a managed resource; and 

attachment means for attaching an access control 
list to an object that represents the managed resource, 
wherein the access control list assigns at least one 

20 privilege from the set of privileges to an entity. 

18. The apparatus of claim 17, wherein the entity is an 
individual user. 

25 19. The apparatus of claim 17, wherein the entity is a 
group of users. 
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20. The apparatus of claim 17, wherein the managed 
resource is one of a plurality of managed resources 
arranged in a hierarchy. 
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21. The apparatus of claim 17, wherein the set of 
privileges comprises a set of operations that may be 
performed for the managed resource. 

5 22. An apparatus for administering a plurality of 
managed resources including at least one first level 
resource and at least one second level resource, wherein 
each of the at least one second level resource is a 
subresource of a first level resource, comprising: 

10 definition means for defining a first set of 

permissions for the at least one first level resource; 
and 

attachment means for attaching a first access 
control list to a first object that represents a first 
15 managed resource, 

wherein the first managed resource is a first level 
resource and the first access control list controls 
access to the first managed resource and at least one 
subresource of the first managed resource based on the 
20 first set of permissions. 

23. The apparatus of claim 22, wherein the first entity 
is an individual user. 

25 24. The apparatus of claim 22, wherein the first entity 
is a group of users. 
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25. The apparatus of claim 22, wherein the set of 
privileges comprises a set of operations that may be 
performed for the at least one first level resource. 
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26. The apparatus of claim 22, further comprising: 
means for defining a second set of permissions for a 

second managed resource; and 

means for attaching a second access control list to 
5 a second object that represents the second managed 

resource, wherein the second access control list controls 
access to the second managed resource and at least one 
subresource of the second managed resource based on the 
second set of permissions. 

10 

27. An apparatus for administering managed resources, 
comprising : 

receipt means for receiving a request from a user to 
perform an operation on a managed resource; 
15 search means for finding an access control list 

corresponding to the managed resource; and 

determination means for determining whether the 
operation is permitted for the user based on the access 
control list . 

20 

28. The apparatus of claim 27, wherein the managed 
resource is one of a plurality of managed resources 
arranged in a hierarchy and wherein the search means 
comprises means for searching the hierarchy for an access 

25 control list which is attached closest to the managed 
resource . 

29. The apparatus of claim 27, wherein the search means 
comprises means for finding a first access control list 

30 that assigns a first permission for the user and a second 
access control list that assigns a second permission for 
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the user* 

30. The apparatus of claim 29, wherein the determination 
means comprises means for selecting the access control 

5 list, from the first access control list and the second 
access control list, with a permission that more 
specifically matches the user. 

31. The apparatus of claim 29, wherein the first 

10 permission identifies a first set of operations permitted 
for the user and the second permission identifies a 
second set of operations permitted for the user, and 

wherein the determination means comprises means for 
performing an OR operation on the first set of operations 

15 and the second set of operations . 

32. The apparatus of claim 27, wherein the apparatus 
comprises an authorization server. 

20 33. A computer program product, in a computer readable 
medium, for administering managed resources, comprising: 
instructions for defining a set of privileges for a 
managed resource; and 

instructions for attaching an access control list to 
25 an object that represents the managed resource, wherein 
the access control list assigns at least one privilege 
from the set of privileges to an entity. 

34. A computer program product, in a computer readable 
30 medium, for administering a plurality of managed 

resources including at least one first level resource and 
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at least one second level resource, wherein each of the 
at least one second level resource is a subresource of a 
first level resource, comprising: 

instructions for defining a first set of permissions 
5 for the at least one first level resource; and 

instructions for attaching a first access control 
list to a first object that represents a first managed 
resource, 

wherein the first managed resource is a first level 
10 resource and the first access control list controls 
access to the first managed resource and at least one 
subresource of the first managed resource based on the 
first set of permissions. 

15 35. A computer program product, in a computer readable 
medium, for administering managed resources, comprising: 
instructions for receiving a request from a user to 
perform an operation on a managed resource; 

instructions for finding an access control list 
20 corresponding to the managed resource; and 

instructions for determining whether the operation 
is permitted for the user based on the access control 
list. 



